diff --git a/assisted_service_mcp/src/utils/log_analyzer/log_analyzer.py b/assisted_service_mcp/src/utils/log_analyzer/log_analyzer.py
index d0c6850..da2df16 100644
--- a/assisted_service_mcp/src/utils/log_analyzer/log_analyzer.py
+++ b/assisted_service_mcp/src/utils/log_analyzer/log_analyzer.py
@@ -4,7 +4,7 @@
 
 import json
 import logging
-from typing import Dict, List, Any, cast
+from typing import Dict, List, Any, cast, Iterator, Tuple
 
 import dateutil.parser
 import nestedarchive
@@ -40,9 +40,7 @@ def metadata(self) -> Dict[str, Any] | None:
                 raw_metadata = json.loads(cast(str | bytes, metadata_content))
 
                 # The metadata file contains cluster information at the root level
-                # Wrap it in a "cluster" key to match the expected structure
-                wrapped_metadata = {"cluster": raw_metadata}
-                self._metadata = self._clean_metadata_json(wrapped_metadata)
+                self._metadata = self._clean_metadata_json(raw_metadata)
             except Exception as e:
                 logger.error("Failed to load metadata: %s", e)
                 raise
@@ -51,20 +49,18 @@ def metadata(self) -> Dict[str, Any] | None:
     @staticmethod
     def _clean_metadata_json(md: Dict[str, Any]) -> Dict[str, Any]:
         """Clean metadata JSON by separating deleted hosts."""
-        installation_start_time = dateutil.parser.isoparse(
-            md["cluster"]["install_started_at"]
-        )
+        installation_start_time = dateutil.parser.isoparse(md["install_started_at"])
 
         def host_deleted_before_installation_started(host):
             if deleted_at := host.get("deleted_at"):
                 return dateutil.parser.isoparse(deleted_at) < installation_start_time
             return False
 
-        all_hosts = md["cluster"]["hosts"]
-        md["cluster"]["deleted_hosts"] = [
+        all_hosts = md["hosts"]
+        md["deleted_hosts"] = [
             h for h in all_hosts if host_deleted_before_installation_started(h)
         ]
-        md["cluster"]["hosts"] = [
+        md["hosts"] = [
             h for h in all_hosts if not host_deleted_before_installation_started(h)
         ]
 
@@ -181,15 +177,42 @@ def get_controller_logs(self) -> str:
             ),
         )
 
-    @staticmethod
-    def get_hostname(host: Dict[str, Any]) -> str:
-        """Extract hostname from host metadata."""
-        hostname = host.get("requested_hostname")
-        if hostname:
-            return hostname
+    def cluster_is_sno(self) -> bool:
+        """
+        Check if the cluster is a Single Node OpenShift (SNO) cluster.
+
+        Returns:
+            True if the cluster is SNO (high_availability_mode == "None"), False otherwise
+        """
+        try:
+            cluster = self.metadata
+            return (
+                cluster is not None and cluster.get("high_availability_mode") == "None"
+            )
+        except Exception:
+            return False
+
+    def all_host_journal_logs(
+        self,
+    ) -> Iterator[Tuple[Dict[str, Any], str]]:
+        """
+        Iterate over hosts and their journal logs, skipping hosts where journal.logs is not found.
 
+        Yields:
+            Tuple of (host, journal_logs) for each host with available journal logs
+        """
         try:
-            inventory = json.loads(host["inventory"])
-            return inventory["hostname"]
-        except (KeyError, json.JSONDecodeError):
-            return host.get("id", "unknown")
+            cluster = self.metadata
+        except Exception:
+            return
+
+        if cluster is None:
+            return
+
+        for host in cluster.get("hosts", []):
+            host_id = host["id"]
+            try:
+                journal_logs = self.get_host_log_file(host_id, "journal.logs")
+                yield host, journal_logs
+            except FileNotFoundError:
+                continue
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/__init__.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/__init__.py
index a1b809d..8c5a26f 100644
--- a/assisted_service_mcp/src/utils/log_analyzer/signatures/__init__.py
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/__init__.py
@@ -6,12 +6,44 @@
 import inspect
 
 from .base import Signature, ErrorSignature, SignatureResult
-from .basic_info import *  # noqa
-from .error_detection import *  # noqa
-from .performance import *  # noqa
-from .networking import *  # noqa
-from .advanced_analysis import *  # noqa
-from .platform_specific import *  # noqa
+
+# Import all individual signature classes
+# These are used dynamically via inspect.getmembers(), so we suppress unused import warnings
+from .components_version_signature import ComponentsVersionSignature  # noqa: F401
+from .sno_hostname_has_etcd import SNOHostnameHasEtcd  # noqa: F401
+from .api_invalid_certificate_signature import (
+    ApiInvalidCertificateSignature,  # noqa: F401
+)
+from .api_expired_certificate_signature import (
+    ApiExpiredCertificateSignature,  # noqa: F401
+)
+from .release_pull_error_signature import ReleasePullErrorSignature  # noqa: F401
+from .error_on_cleanup_install_device import ErrorOnCleanupInstallDevice  # noqa: F401
+from .missing_mc import MissingMC  # noqa: F401
+from .error_creating_read_write_layer import ErrorCreatingReadWriteLayer  # noqa: F401
+from .sno_machine_cidr_signature import SNOMachineCidrSignature  # noqa: F401
+from .duplicate_vip import DuplicateVIP  # noqa: F401
+from .nameserver_in_cluster_network import NameserverInClusterNetwork  # noqa: F401
+from .networks_mtu_mismatch import NetworksMtuMismatch  # noqa: F401
+from .dual_stack_bad_route import DualStackBadRoute  # noqa: F401
+from .dualstackr_dns_bug import DualstackrDNSBug  # noqa: F401
+from .user_managed_networking_load_balancer import (
+    UserManagedNetworkingLoadBalancer,  # noqa: F401
+)
+from .slow_image_download_signature import SlowImageDownloadSignature  # noqa: F401
+from .libvirt_reboot_flag_signature import LibvirtRebootFlagSignature  # noqa: F401
+from .ip_changed_after_reboot import IpChangedAfterReboot  # noqa: F401
+from .events_installation_attempts import EventsInstallationAttempts  # noqa: F401
+from .controller_warnings import ControllerWarnings  # noqa: F401
+from .user_has_logged_into_cluster import UserHasLoggedIntoCluster  # noqa: F401
+from .failed_request_triggers_host_timeout import (
+    FailedRequestTriggersHostTimeout,  # noqa: F401
+)
+from .controller_failed_to_start import ControllerFailedToStart  # noqa: F401
+from .machine_config_daemon_error_extracting import (
+    MachineConfigDaemonErrorExtracting,  # noqa: F401
+)
+from .container_crash_analysis import ContainerCrashAnalysis  # noqa: F401
 
 # Collect all signatures from all modules
 ALL_SIGNATURES = []
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/api_expired_certificate_signature.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/api_expired_certificate_signature.py
new file mode 100644
index 0000000..755dce3
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/api_expired_certificate_signature.py
@@ -0,0 +1,39 @@
+"""
+ApiExpiredCertificateSignature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
+    LOG_BUNDLE_PATH,
+)
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class ApiExpiredCertificateSignature(ErrorSignature):
+    """Detect expired or not yet valid certificate in kube-apiserver logs."""
+
+    LOG_PATTERN = re.compile("x509: certificate has expired or is not yet valid.*")
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        path = f"{LOG_BUNDLE_PATH}/bootstrap/containers/bootstrap-control-plane/kube-apiserver.log"
+        try:
+            logs = log_analyzer.logs_archive.get(path)
+        except FileNotFoundError:
+            return None
+        invalid_api_log_lines = self.LOG_PATTERN.findall(logs)
+        if invalid_api_log_lines:
+            content = invalid_api_log_lines[0]
+            if (num_lines := len(invalid_api_log_lines)) > 1:
+                content += f"\nadditional {num_lines - 1} similar error log lines found"
+            return self.create_result(
+                title="Expired Certificate",
+                content=content,
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/api_invalid_certificate_signature.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/api_invalid_certificate_signature.py
new file mode 100644
index 0000000..5a2cd6c
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/api_invalid_certificate_signature.py
@@ -0,0 +1,39 @@
+"""
+ApiInvalidCertificateSignature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class ApiInvalidCertificateSignature(ErrorSignature):
+    """Detect invalid SAN values on certificate for AI API from controller logs."""
+
+    LOG_PATTERN = re.compile(
+        'time=".*" level=error msg=".*x509: certificate is valid.* not .*'
+    )
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        try:
+            controller_logs = log_analyzer.get_controller_logs()
+        except FileNotFoundError:
+            return None
+
+        invalid_api_log_lines = self.LOG_PATTERN.findall(controller_logs)
+        if invalid_api_log_lines:
+            shown = invalid_api_log_lines[:5]
+            more = len(invalid_api_log_lines) - len(shown)
+            content = "\n".join(shown)
+            if more > 0:
+                content += f"\nadditional {more} similar error log lines found"
+            return self.create_result(
+                title="Invalid SAN values on certificate for AI API",
+                content=content,
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/basic_info.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/components_version_signature.py
similarity index 81%
rename from assisted_service_mcp/src/utils/log_analyzer/signatures/basic_info.py
rename to assisted_service_mcp/src/utils/log_analyzer/signatures/components_version_signature.py
index 9faa959..1b9964f 100644
--- a/assisted_service_mcp/src/utils/log_analyzer/signatures/basic_info.py
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/components_version_signature.py
@@ -1,6 +1,5 @@
 """
-Basic information and status signature analysis.
-These signatures provide fundamental information about the cluster and installation.
+ComponentsVersionSignature for OpenShift Assisted Installer logs.
 """
 
 import logging
@@ -18,15 +17,14 @@ def analyze(self, log_analyzer) -> Optional[SignatureResult]:
         """Analyze component versions."""
         try:
             metadata = log_analyzer.metadata
-            cluster_md = metadata.get("cluster", {})
 
             content_lines = []
 
-            release_tag = metadata.get("release_tag") or cluster_md.get("release_tag")
+            release_tag = metadata.get("release_tag")
             if release_tag:
                 content_lines.append(f"Release tag: {release_tag}")
 
-            versions = metadata.get("versions") or cluster_md.get("versions")
+            versions = metadata.get("versions")
             if versions:
                 if "assisted-installer" in versions:
                     content_lines.append(
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/advanced_analysis.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/container_crash_analysis.py
similarity index 57%
rename from assisted_service_mcp/src/utils/log_analyzer/signatures/advanced_analysis.py
rename to assisted_service_mcp/src/utils/log_analyzer/signatures/container_crash_analysis.py
index 5fea2fd..b8d1582 100644
--- a/assisted_service_mcp/src/utils/log_analyzer/signatures/advanced_analysis.py
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/container_crash_analysis.py
@@ -1,16 +1,14 @@
 """
-Advanced analysis signatures for OpenShift Assisted Installer logs.
-These signatures perform complex analysis across multiple log sources.
+ContainerCrashAnalysis signature for OpenShift Assisted Installer logs.
 """
 
-import json
 import logging
 import os
 import re
 from collections import defaultdict
 from datetime import datetime, timedelta
 from operator import itemgetter
-from typing import Any, Generator, Optional, Callable, List, Dict
+from typing import Optional, List, Dict
 
 from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
     LOG_BUNDLE_PATH,
@@ -18,281 +16,9 @@
 
 from .base import Signature, SignatureResult
 
-
-def operator_statuses_from_controller_logs(
-    controller_log: str, include_empty: bool = False
-):
-    operator_regex = re.compile(r"Operator ([a-z\-]+), statuses: \[(.*)\].*")
-    conditions_regex = re.compile(r"\{(.+?)\}")
-    condition_regex = re.compile(
-        r"([A-Za-z]+) (False|True) ([0-9a-zA-Z\-]+ [0-9a-zA-Z\:]+ [0-9a-zA-Z\-\+]+ [A-Z]+) (.*)"
-    )
-    operator_statuses = {}
-
-    for operator_name, operator_status in operator_regex.findall(controller_log):
-        if include_empty:
-            operator_statuses[operator_name] = {}
-        operator_conditions = operator_statuses.setdefault(operator_name, {})
-        for operator_conditions_raw in conditions_regex.findall(operator_status):
-            for (
-                condition_name,
-                condition_result,
-                condition_timestamp,
-                condition_reason,
-            ) in condition_regex.findall(operator_conditions_raw):
-                operator_conditions[condition_name] = {
-                    "result": condition_result == "True",
-                    "timestamp": condition_timestamp,
-                    "reason": condition_reason,
-                }
-
-    return operator_statuses
-
-
-def condition_has_result(
-    operator_conditions, expected_condition_name: str, expected_condition_result: bool
-) -> bool:
-    return any(
-        condition_values["result"] == expected_condition_result
-        for condition_name, condition_values in operator_conditions.items()
-        if condition_name == expected_condition_name
-    )
-
-
-def filter_operators(
-    operator_statuses,
-    required_conditions,
-    aggregation_function: Callable[[Generator[Any, None, None]], bool],
-):
-    return {
-        operator_name: operator_conditions
-        for operator_name, operator_conditions in operator_statuses.items()
-        if aggregation_function(
-            condition_has_result(
-                operator_conditions, required_condition_name, expected_condition_result
-            )
-            for required_condition_name, expected_condition_result in required_conditions
-        )
-    }
-
-
 logger = logging.getLogger(__name__)
 
 
-class EventsInstallationAttempts(Signature):
-    """Inspects events file to check for multiple installation attempts."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        """Analyze multiple installation attempts."""
-        try:
-            # Get all cluster events and partition them by reset events
-            all_events = log_analyzer.get_all_cluster_events()
-            partitions = log_analyzer.partition_cluster_events(all_events)
-            installation_attempts = len(partitions)
-
-            if installation_attempts != 1:
-                current_events = log_analyzer.get_last_install_cluster_events()
-                if current_events:
-                    last_attempt_first_event = current_events[0]
-                    content = (
-                        f"The events file for this cluster contains events from {installation_attempts} installation attempts.\n"
-                        f"When reading the events for this ticket, make sure you look only at the events for the last installation attempt,\n"
-                        f"the first event in that attempt happened around {last_attempt_first_event['event_time']}."
-                    )
-
-                    return SignatureResult(
-                        signature_name=self.name,
-                        title="Multiple Installation Attempts in Events File",
-                        content=content,
-                        severity="warning",
-                    )
-
-        except Exception as e:
-            logger.error("Error in EventsInstallationAttempts: %s", e)
-
-        return None
-
-
-class ControllerWarnings(Signature):
-    """Search for warnings in controller logs."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        try:
-            controller_logs = log_analyzer.get_controller_logs()
-        except FileNotFoundError:
-            return None
-        warnings = re.findall(r'time=".*" level=warning msg=".*', controller_logs)
-        if warnings:
-            shown = warnings[:10]
-            content = "\n".join(shown)
-            if len(warnings) > 10:
-                content += (
-                    f"\nThere are {len(warnings) - 10} additional warnings not shown"
-                )
-            return SignatureResult(
-                signature_name=self.name,
-                title="Controller warning logs",
-                content=content,
-                severity="warning",
-            )
-        return None
-
-
-class UserHasLoggedIntoCluster(Signature):
-    """Detect user login to cluster nodes during installation."""
-
-    USER_LOGIN_PATTERN = re.compile(
-        r"pam_unix\((sshd|login):session\): session opened for user .+ by"
-    )
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        cluster = log_analyzer.metadata.get("cluster", {})
-        msgs = []
-        for host in cluster.get("hosts", []):
-            host_id = host["id"]
-            try:
-                journal_logs = log_analyzer.get_host_log_file(host_id, "journal.logs")
-            except FileNotFoundError:
-                continue
-            if self.USER_LOGIN_PATTERN.findall(journal_logs):
-                msgs.append(
-                    f"Host {host_id}: found evidence of a user login during installation. This might indicate that some settings have been changed manually; if incorrect they could contribute to failure."
-                )
-        if msgs:
-            return SignatureResult(
-                signature_name=self.name,
-                title="User has logged into cluster nodes during installation",
-                content="\n".join(msgs),
-                severity="warning",
-            )
-        return None
-
-
-class FailedRequestTriggersHostTimeout(Signature):
-    """Look for failed requests that could have caused host timeout."""
-
-    LOG_PATTERN = re.compile(
-        r'time="(?P<time>.+)" level=(?P<severity>[a-z]+) msg="(?P<message>.*api\.openshift\.com/api/assisted-install.*Service Unavailable)" file=.+'
-    )
-    HOST_TIMED_OUT_STATUS_INFO = (
-        "Host failed to install due to timeout while connecting to host"
-    )
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        cluster = log_analyzer.metadata.get("cluster", {})
-        failed_requests_hosts = set()
-        timed_out_hosts = {
-            h["id"]
-            for h in cluster.get("hosts", [])
-            if h.get("status_info") == self.HOST_TIMED_OUT_STATUS_INFO
-        }
-        for host in cluster.get("hosts", []):
-            try:
-                agent_logs = log_analyzer.get_host_log_file(host["id"], "agent.logs")
-            except FileNotFoundError:
-                continue
-            if len(self.LOG_PATTERN.findall(agent_logs)) > 0:
-                failed_requests_hosts.add(host["id"])
-        intersect = failed_requests_hosts & timed_out_hosts
-        if intersect:
-            content = "\n".join(
-                f"Host {host_id} has request failures and timed out. Did the request cause the host to timeout?"
-                for host_id in sorted(intersect)
-            )
-            return SignatureResult(
-                signature_name=self.name,
-                title="Failed request triggering host timeout",
-                content=content,
-                severity="warning",
-            )
-        if failed_requests_hosts and timed_out_hosts:
-            return SignatureResult(
-                signature_name=self.name,
-                title="Failed request triggering host timeout",
-                content=(
-                    f"Cluster has at least one host that failed requests ({', '.join(sorted(failed_requests_hosts))}) and at least one host that timed out ({', '.join(sorted(timed_out_hosts))})"
-                ),
-                severity="warning",
-            )
-        return None
-
-
-class ControllerFailedToStart(Signature):
-    """Looks for controller readiness in pods.json when bootstrap is 'Waiting for controller'."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        cluster = log_analyzer.metadata.get("cluster", {})
-        bootstrap = [h for h in cluster.get("hosts", []) if h.get("bootstrap")] or []
-        if not bootstrap:
-            return None
-        if bootstrap[0]["progress"]["current_stage"] != "Waiting for controller":
-            return None
-        path = f"{LOG_BUNDLE_PATH}/resources/pods.json"
-        try:
-            pods_json = log_analyzer.logs_archive.get(path)
-        except FileNotFoundError:
-            return None
-        try:
-            pods = json.loads(pods_json)
-            controller_pod = [
-                pod
-                for pod in pods.get("items", [])
-                if pod.get("metadata", {}).get("namespace") == "assisted-installer"
-            ][0]
-        except Exception:
-            return None
-        try:
-            ready = [
-                condition.get("status") == "True"
-                for condition in controller_pod.get("status", {}).get("conditions", {})
-                if condition.get("type") == "Ready"
-            ][0]
-        except Exception:
-            ready = False
-        conditions_tbl = self.generate_table(
-            controller_pod.get("status", {}).get("conditions", [])
-        )
-        containers_tbl = self.generate_table(
-            controller_pod.get("status", {}).get("containerStatuses", [])
-        )
-        content = (
-            f"The controller pod {'is' if ready else 'is not'} ready.\n"
-            f"Conditions:\n{conditions_tbl}\n\nContainer Statuses:\n{containers_tbl}"
-        )
-        return SignatureResult(
-            signature_name=self.name,
-            title="Assisted Installer Controller failed to start",
-            content=content,
-            severity="warning",
-        )
-
-
-class MachineConfigDaemonErrorExtracting(Signature):
-    """Looks for MCD firstboot extraction error (OCPBUGS-5352)."""
-
-    mco_error = re.compile(
-        r"must be empty, pass --confirm to overwrite contents of directory$",
-        re.MULTILINE,
-    )
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        path = f"{LOG_BUNDLE_PATH}/control-plane/*/journals/machine-config-daemon-firstboot.log"
-        try:
-            mcd_logs = log_analyzer.logs_archive.get(path)
-        except FileNotFoundError:
-            return None
-        if self.mco_error.search(mcd_logs):
-            return SignatureResult(
-                signature_name=self.name,
-                title="machine-config-daemon could not extract machine-os-content",
-                content=(
-                    "machine-config-daemon-firstboot logs indicate a node may be hitting OCPBUGS-5352"
-                ),
-                severity="warning",
-            )
-        return None
-
-
 class ContainerCrashAnalysis(Signature):
     """Analyzes container crashes in the last 30 minutes of the install from kubelet logs."""
 
@@ -691,16 +417,3 @@ def _extract_last_lines(self, log_content: str, max_lines: int = 20) -> List[str
             if len(non_empty_lines) > max_lines
             else non_empty_lines
         )
-
-
-# Add more advanced analysis signatures here:
-# - AllInstallationAttemptsSignature (requires JIRA integration)
-# - MustGatherAnalysis
-# - NodeStatus
-# - UserManagedNetworkingLoadBalancer
-# - FailedRequestTriggersHostTimeout
-# - ControllerWarnings
-# - UserHasLoggedIntoCluster
-# - OSTreeCommitMismatch
-# - ControllerFailedToStart
-# - MachineConfigDaemonErrorExtracting
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/controller_failed_to_start.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/controller_failed_to_start.py
new file mode 100644
index 0000000..cfcd76f
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/controller_failed_to_start.py
@@ -0,0 +1,65 @@
+"""
+ControllerFailedToStart signature for OpenShift Assisted Installer logs.
+"""
+
+import json
+import logging
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
+    LOG_BUNDLE_PATH,
+)
+
+from .base import Signature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class ControllerFailedToStart(Signature):
+    """Looks for controller readiness in pods.json when bootstrap is 'Waiting for controller'."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        cluster = log_analyzer.metadata
+        bootstrap = [h for h in cluster.get("hosts", []) if h.get("bootstrap")] or []
+        if not bootstrap:
+            return None
+        if bootstrap[0]["progress"]["current_stage"] != "Waiting for controller":
+            return None
+        path = f"{LOG_BUNDLE_PATH}/resources/pods.json"
+        try:
+            pods_json = log_analyzer.logs_archive.get(path)
+        except FileNotFoundError:
+            return None
+        try:
+            pods = json.loads(pods_json)
+            controller_pod = [
+                pod
+                for pod in pods.get("items", [])
+                if pod.get("metadata", {}).get("namespace") == "assisted-installer"
+            ][0]
+        except Exception:
+            return None
+        try:
+            ready = [
+                condition.get("status") == "True"
+                for condition in controller_pod.get("status", {}).get("conditions", {})
+                if condition.get("type") == "Ready"
+            ][0]
+        except Exception:
+            ready = False
+        conditions_tbl = self.generate_table(
+            controller_pod.get("status", {}).get("conditions", [])
+        )
+        containers_tbl = self.generate_table(
+            controller_pod.get("status", {}).get("containerStatuses", [])
+        )
+        content = (
+            f"The controller pod {'is' if ready else 'is not'} ready.\n"
+            f"Conditions:\n{conditions_tbl}\n\nContainer Statuses:\n{containers_tbl}"
+        )
+        return SignatureResult(
+            signature_name=self.name,
+            title="Assisted Installer Controller failed to start",
+            content=content,
+            severity="warning",
+        )
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/controller_warnings.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/controller_warnings.py
new file mode 100644
index 0000000..a192764
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/controller_warnings.py
@@ -0,0 +1,36 @@
+"""
+ControllerWarnings signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from .base import Signature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class ControllerWarnings(Signature):
+    """Search for warnings in controller logs."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        try:
+            controller_logs = log_analyzer.get_controller_logs()
+        except FileNotFoundError:
+            return None
+        warnings = re.findall(r'time=".*" level=warning msg=".*', controller_logs)
+        if warnings:
+            shown = warnings[:10]
+            content = "\n".join(shown)
+            if len(warnings) > 10:
+                content += (
+                    f"\nThere are {len(warnings) - 10} additional warnings not shown"
+                )
+            return SignatureResult(
+                signature_name=self.name,
+                title="Controller warning logs",
+                content=content,
+                severity="warning",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/dual_stack_bad_route.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/dual_stack_bad_route.py
new file mode 100644
index 0000000..a4f8ca8
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/dual_stack_bad_route.py
@@ -0,0 +1,37 @@
+"""
+DualStackBadRoute signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
+    LOG_BUNDLE_PATH,
+)
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class DualStackBadRoute(ErrorSignature):
+    """Looks for BZ 2088346 in ovnkube-node logs."""
+
+    fatal_error_regex = re.compile(
+        r"^F.*failed to get default gateway interface$", re.MULTILINE
+    )
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        path = f"{LOG_BUNDLE_PATH}/control-plane/*/containers/ovnkube-node-*.log"
+        try:
+            ovnkube_logs = log_analyzer.logs_archive.get(path)
+        except FileNotFoundError:
+            return None
+        if self.fatal_error_regex.search(ovnkube_logs):
+            return self.create_result(
+                title="Bugzilla 2088346",
+                content="ovnkube-node logs indicate the cluster may be hitting BZ 2088346",
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/dualstackr_dns_bug.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/dualstackr_dns_bug.py
new file mode 100644
index 0000000..aa65e1d
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/dualstackr_dns_bug.py
@@ -0,0 +1,34 @@
+"""
+DualstackrDNSBug signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
+    LOG_BUNDLE_PATH,
+)
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class DualstackrDNSBug(ErrorSignature):
+    """Detect kube-apiserver 'must match public address family' message (MGMT-11651)."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        path = f"{LOG_BUNDLE_PATH}/bootstrap/containers/kube-apiserver-*.log"
+        try:
+            kubeapiserver_logs = log_analyzer.logs_archive.get(path)
+        except FileNotFoundError:
+            return None
+        if "must match public address family" in kubeapiserver_logs:
+            return self.create_result(
+                title="rDNS and DNS entries for IPv4/IPv6 interface - MGMT-11651",
+                content=(
+                    "kube-apiserver logs contain the message 'must match public address family', this is probably due to MGMT-11651"
+                ),
+                severity="warning",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/duplicate_vip.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/duplicate_vip.py
new file mode 100644
index 0000000..d06240f
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/duplicate_vip.py
@@ -0,0 +1,92 @@
+"""
+DuplicateVIP signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import os
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
+    LOG_BUNDLE_PATH,
+)
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class DuplicateVIP(ErrorSignature):
+    """Looks for nodes holding the same VIP."""
+
+    # pylint: disable=too-many-nested-blocks,too-many-branches
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        """Analyze for duplicate VIP issues."""
+        try:
+            cluster = log_analyzer.metadata
+
+            # SNO doesn't need balancing
+            if cluster.get("high_availability_mode") == "None":
+                return None
+
+            # VIPs are not relevant with load balancer
+            if cluster.get("user_managed_networking") is True:  # noqa: E712
+                return None
+
+            vips = [vip["ip"] for vip in cluster.get("api_vips", [])]
+            if not vips:
+                return None
+
+            collisions = []
+            # Check control-plane nodes
+            try:
+                control_plane_dir = log_analyzer.logs_archive.get(
+                    f"{LOG_BUNDLE_PATH}/control-plane/"
+                )
+                for node_dir in self.archive_dir_contents(control_plane_dir):
+                    node_ip = os.path.basename(node_dir)
+                    try:
+                        ip_addr = log_analyzer.logs_archive.get(
+                            f"{LOG_BUNDLE_PATH}/control-plane/{node_ip}/network/ip-addr.txt"
+                        )
+                    except FileNotFoundError:
+                        continue
+                    for vip in vips:
+                        if vip in ip_addr:
+                            collisions.append((vip, node_ip))
+            except FileNotFoundError:
+                pass
+
+            # Check bootstrap
+            try:
+                bootstrap_ip_addr = log_analyzer.logs_archive.get(
+                    f"{LOG_BUNDLE_PATH}/bootstrap/network/ip-addr.txt"
+                )
+                for vip in vips:
+                    if vip in bootstrap_ip_addr:
+                        collisions.append((vip, "bootstrap"))
+            except FileNotFoundError:
+                pass
+
+            # Aggregate per VIP
+            vip_to_nodes = {}
+            for vip, node in collisions:
+                vip_to_nodes.setdefault(vip, set()).add(node)
+
+            dup_msgs = [
+                f"Found duplicate VIP {vip} in control-plane hosts {' and '.join(sorted(nodes))}"
+                for vip, nodes in vip_to_nodes.items()
+                if len(nodes) > 1
+            ]
+
+            if dup_msgs:
+                return self.create_result(
+                    title="VIP found in multiple nodes",
+                    content="\n".join(dup_msgs),
+                    severity="error",
+                )
+            return None
+
+        except Exception as e:
+            logger.error("Error in DuplicateVIP: %s", e)
+
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/error_creating_read_write_layer.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/error_creating_read_write_layer.py
new file mode 100644
index 0000000..bea5b1f
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/error_creating_read_write_layer.py
@@ -0,0 +1,60 @@
+"""
+ErrorCreatingReadWriteLayer signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import os
+from typing import Optional
+
+import yaml
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class ErrorCreatingReadWriteLayer(ErrorSignature):
+    """Detect pods failing with error creating read-write layer (BZ 1993243)."""
+
+    @staticmethod
+    def _is_bad_pod(pod):
+        return any(
+            containerStatus.get("state", {}).get("waiting", {}).get("reason")
+            == "CreateContainerError"
+            and "error creating read-write layer with ID"
+            in containerStatus.get("state", {}).get("waiting", {}).get("message", "")
+            for containerStatus in pod.get("status", {}).get("containerStatuses", [])
+        )
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        try:
+            namespaces_dir = log_analyzer.logs_archive.get(
+                "controller_logs.tar.gz/must-gather.tar.gz/must-gather.local.*/quay-io-openshift-release-dev-*/namespaces"
+            )
+        except FileNotFoundError:
+            return None
+
+        messages = []
+        for namespace_dir in self.archive_dir_contents(namespaces_dir):
+            try:
+                pods_yaml_path = os.path.join(namespace_dir, "core", "pods.yaml")
+                pods_yaml = log_analyzer.logs_archive.get(pods_yaml_path)
+            except FileNotFoundError:
+                continue
+            try:
+                pods_doc = yaml.safe_load(pods_yaml) or {}
+                for pod in pods_doc.get("items", []):
+                    if self._is_bad_pod(pod):
+                        messages.append(
+                            f"Pod {pod['metadata']['name']} in namespace {pod['metadata']['namespace']} has a container with an error creating the read-write layer, see BZ 1993243"
+                        )
+            except Exception:
+                continue
+
+        if messages:
+            return self.create_result(
+                title="Error creating read-write layer - Bugzilla 1993243",
+                content="\n\n".join(messages),
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/error_detection.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/error_detection.py
deleted file mode 100644
index 6a1b281..0000000
--- a/assisted_service_mcp/src/utils/log_analyzer/signatures/error_detection.py
+++ /dev/null
@@ -1,244 +0,0 @@
-"""
-Error detection signatures for OpenShift Assisted Installer logs.
-These signatures identify specific error conditions during installation.
-"""
-
-import logging
-import os
-import re
-from collections import OrderedDict
-from typing import Optional
-
-import yaml
-from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
-    LOG_BUNDLE_PATH,
-)
-
-from .base import ErrorSignature, SignatureResult
-
-logger = logging.getLogger(__name__)
-
-# pylint: disable=duplicate-code
-
-
-class SNOHostnameHasEtcd(ErrorSignature):
-    """Looks for etcd in SNO hostname (OCPBUGS-15852)."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        """Analyze SNO hostname for etcd."""
-        try:
-            metadata = log_analyzer.metadata
-            cluster = metadata["cluster"]
-
-            if cluster.get("high_availability_mode") != "None":
-                return None
-
-            if len(cluster["hosts"]) != 1:
-                return None
-
-            hostname = log_analyzer.get_hostname(cluster["hosts"][0])
-            if "etcd" in hostname:
-                content = "Hostname cannot contain etcd, see https://issues.redhat.com/browse/OCPBUGS-15852"
-
-                return self.create_result(
-                    title="No etcd in SNO hostname", content=content, severity="error"
-                )
-
-        except Exception as e:
-            logger.error("Error in SNOHostnameHasEtcd: %s", e)
-
-        return None
-
-
-class ApiInvalidCertificateSignature(ErrorSignature):
-    """Detect invalid SAN values on certificate for AI API from controller logs."""
-
-    LOG_PATTERN = re.compile(
-        'time=".*" level=error msg=".*x509: certificate is valid.* not .*'
-    )
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        try:
-            controller_logs = log_analyzer.get_controller_logs()
-        except FileNotFoundError:
-            return None
-
-        invalid_api_log_lines = self.LOG_PATTERN.findall(controller_logs)
-        if invalid_api_log_lines:
-            shown = invalid_api_log_lines[:5]
-            more = len(invalid_api_log_lines) - len(shown)
-            content = "\n".join(shown)
-            if more > 0:
-                content += f"\nadditional {more} similar error log lines found"
-            return self.create_result(
-                title="Invalid SAN values on certificate for AI API",
-                content=content,
-                severity="error",
-            )
-        return None
-
-
-class ApiExpiredCertificateSignature(ErrorSignature):
-    """Detect expired or not yet valid certificate in kube-apiserver logs."""
-
-    LOG_PATTERN = re.compile("x509: certificate has expired or is not yet valid.*")
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        path = f"{LOG_BUNDLE_PATH}/bootstrap/containers/bootstrap-control-plane/kube-apiserver.log"
-        try:
-            logs = log_analyzer.logs_archive.get(path)
-        except FileNotFoundError:
-            return None
-        invalid_api_log_lines = self.LOG_PATTERN.findall(logs)
-        if invalid_api_log_lines:
-            content = invalid_api_log_lines[0]
-            if (num_lines := len(invalid_api_log_lines)) > 1:
-                content += f"\nadditional {num_lines - 1} similar error log lines found"
-            return self.create_result(
-                title="Expired Certificate",
-                content=content,
-                severity="error",
-            )
-        return None
-
-
-class ReleasePullErrorSignature(ErrorSignature):
-    """Finds clusters where release image cannot be pulled by bootstrap node."""
-
-    ERROR_PATTERN = re.compile(r"release-image-download\.sh\[.+\]: Pull failed")
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        try:
-            cluster = log_analyzer.metadata["cluster"]
-        except Exception:
-            return None
-
-        hosts_sections = []
-        for host in cluster.get("hosts", []):
-            host_id = host["id"]
-            try:
-                journal_logs = log_analyzer.get_host_log_file(host_id, "journal.logs")
-            except FileNotFoundError:
-                continue
-            if self.ERROR_PATTERN.findall(journal_logs):
-                hosts_sections.append(
-                    f"Release image cannot be pulled on {host_id} ({log_analyzer.get_hostname(host)})"
-                )
-
-        if hosts_sections:
-            return self.create_result(
-                title="Release image cannot be pulled",
-                content="\n".join(hosts_sections),
-                severity="error",
-            )
-        return None
-
-
-class ErrorOnCleanupInstallDevice(ErrorSignature):
-    """Detect non-fatal errors during cleanupInstallDevice in installer logs."""
-
-    LOG_PATTERN = re.compile(r'msg="(?P<message>failed to prepare install device.*)"')
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        cluster = log_analyzer.metadata.get("cluster", {})
-        hosts = []
-        for host in cluster.get("hosts", []):
-            host_id = host["id"]
-            try:
-                installer_logs = log_analyzer.get_host_log_file(
-                    host_id, "installer.logs"
-                )
-            except FileNotFoundError:
-                continue
-            match = self.LOG_PATTERN.search(installer_logs)
-            if match:
-                hosts.append(
-                    OrderedDict(
-                        host=log_analyzer.get_hostname(host),
-                        message=match.group("message"),
-                    )
-                )
-        if hosts:
-            content = "cleanupInstallDevice function has failed for the following hosts. However, its failure does not block installation. Check logs to see if it is related to the installation failure\n"
-            content += self.generate_table(hosts)
-            return self.create_result(
-                title="Non-fatal error on cleanupInstallDevice",
-                content=content,
-                severity="warning",
-            )
-        return None
-
-
-class MissingMC(ErrorSignature):
-    """Looks for missing MachineConfig error in SNO clusters."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        cluster = log_analyzer.metadata.get("cluster", {})
-        if cluster.get("high_availability_mode") != "None":
-            return None
-        path = (
-            "controller_logs.tar.gz/must-gather.tar.gz/must-gather.local.*/quay-io-openshift-release-dev-*/cluster-scoped-resources/"
-            "machineconfiguration.openshift.io/machineconfigpools/master.yaml"
-        )
-        try:
-            raw = log_analyzer.logs_archive.get(path, mode="rb")
-        except FileNotFoundError:
-            return None
-        try:
-            text = raw.decode("utf-8")
-        except Exception:
-            return None
-        if re.search(r"rendered-master-[0-9a-f]{32}.*not found", text) is not None:
-            return self.create_result(
-                title="Missing MachineConfig issue",
-                content="Missing rendered MachineConfig issue detected",
-                severity="error",
-            )
-        return None
-
-
-class ErrorCreatingReadWriteLayer(ErrorSignature):
-    """Detect pods failing with error creating read-write layer (BZ 1993243)."""
-
-    @staticmethod
-    def _is_bad_pod(pod):
-        return any(
-            containerStatus.get("state", {}).get("waiting", {}).get("reason")
-            == "CreateContainerError"
-            and "error creating read-write layer with ID"
-            in containerStatus.get("state", {}).get("waiting", {}).get("message", "")
-            for containerStatus in pod.get("status", {}).get("containerStatuses", [])
-        )
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        try:
-            namespaces_dir = log_analyzer.logs_archive.get(
-                "controller_logs.tar.gz/must-gather.tar.gz/must-gather.local.*/quay-io-openshift-release-dev-*/namespaces"
-            )
-        except FileNotFoundError:
-            return None
-
-        messages = []
-        for namespace_dir in self.archive_dir_contents(namespaces_dir):
-            try:
-                pods_yaml_path = os.path.join(namespace_dir, "core", "pods.yaml")
-                pods_yaml = log_analyzer.logs_archive.get(pods_yaml_path)
-            except FileNotFoundError:
-                continue
-            try:
-                pods_doc = yaml.safe_load(pods_yaml) or {}
-                for pod in pods_doc.get("items", []):
-                    if self._is_bad_pod(pod):
-                        messages.append(
-                            f"Pod {pod['metadata']['name']} in namespace {pod['metadata']['namespace']} has a container with an error creating the read-write layer, see BZ 1993243"
-                        )
-            except Exception:
-                continue
-
-        if messages:
-            return self.create_result(
-                title="Error creating read-write layer - Bugzilla 1993243",
-                content="\n\n".join(messages),
-                severity="error",
-            )
-        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/error_on_cleanup_install_device.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/error_on_cleanup_install_device.py
new file mode 100644
index 0000000..14c53c0
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/error_on_cleanup_install_device.py
@@ -0,0 +1,48 @@
+"""
+ErrorOnCleanupInstallDevice signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from collections import OrderedDict
+from typing import Optional
+
+from .base import ErrorSignature, SignatureResult
+from .helpers import get_hostname
+
+logger = logging.getLogger(__name__)
+
+
+class ErrorOnCleanupInstallDevice(ErrorSignature):
+    """Detect non-fatal errors during cleanupInstallDevice in installer logs."""
+
+    LOG_PATTERN = re.compile(r'msg="(?P<message>failed to prepare install device.*)"')
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        cluster = log_analyzer.metadata
+        hosts = []
+        for host in cluster.get("hosts", []):
+            host_id = host["id"]
+            try:
+                installer_logs = log_analyzer.get_host_log_file(
+                    host_id, "installer.logs"
+                )
+            except FileNotFoundError:
+                continue
+            match = self.LOG_PATTERN.search(installer_logs)
+            if match:
+                hosts.append(
+                    OrderedDict(
+                        host=get_hostname(host),
+                        message=match.group("message"),
+                    )
+                )
+        if hosts:
+            content = "cleanupInstallDevice function has failed for the following hosts. However, its failure does not block installation. Check logs to see if it is related to the installation failure\n"
+            content += self.generate_table(hosts)
+            return self.create_result(
+                title="Non-fatal error on cleanupInstallDevice",
+                content=content,
+                severity="warning",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/events_installation_attempts.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/events_installation_attempts.py
new file mode 100644
index 0000000..cd32848
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/events_installation_attempts.py
@@ -0,0 +1,44 @@
+"""
+EventsInstallationAttempts signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+from typing import Optional
+
+from .base import Signature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class EventsInstallationAttempts(Signature):
+    """Inspects events file to check for multiple installation attempts."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        """Analyze multiple installation attempts."""
+        try:
+            # Get all cluster events and partition them by reset events
+            all_events = log_analyzer.get_all_cluster_events()
+            partitions = log_analyzer.partition_cluster_events(all_events)
+            installation_attempts = len(partitions)
+
+            if installation_attempts != 1:
+                current_events = log_analyzer.get_last_install_cluster_events()
+                if current_events:
+                    last_attempt_first_event = current_events[0]
+                    content = (
+                        f"The events file for this cluster contains events from {installation_attempts} installation attempts.\n"
+                        f"When reading the events for this ticket, make sure you look only at the events for the last installation attempt,\n"
+                        f"the first event in that attempt happened around {last_attempt_first_event['event_time']}."
+                    )
+
+                    return SignatureResult(
+                        signature_name=self.name,
+                        title="Multiple Installation Attempts in Events File",
+                        content=content,
+                        severity="warning",
+                    )
+
+        except Exception as e:
+            logger.error("Error in EventsInstallationAttempts: %s", e)
+
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/failed_request_triggers_host_timeout.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/failed_request_triggers_host_timeout.py
new file mode 100644
index 0000000..cd4d845
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/failed_request_triggers_host_timeout.py
@@ -0,0 +1,60 @@
+"""
+FailedRequestTriggersHostTimeout signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from .base import Signature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class FailedRequestTriggersHostTimeout(Signature):
+    """Look for failed requests that could have caused host timeout."""
+
+    LOG_PATTERN = re.compile(
+        r'time="(?P<time>.+)" level=(?P<severity>[a-z]+) msg="(?P<message>.*api\.openshift\.com/api/assisted-install.*Service Unavailable)" file=.+'
+    )
+    HOST_TIMED_OUT_STATUS_INFO = (
+        "Host failed to install due to timeout while connecting to host"
+    )
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        cluster = log_analyzer.metadata
+        failed_requests_hosts = set()
+        timed_out_hosts = {
+            h["id"]
+            for h in cluster.get("hosts", [])
+            if h.get("status_info") == self.HOST_TIMED_OUT_STATUS_INFO
+        }
+        for host in cluster.get("hosts", []):
+            try:
+                agent_logs = log_analyzer.get_host_log_file(host["id"], "agent.logs")
+            except FileNotFoundError:
+                continue
+            if len(self.LOG_PATTERN.findall(agent_logs)) > 0:
+                failed_requests_hosts.add(host["id"])
+        intersect = failed_requests_hosts & timed_out_hosts
+        if intersect:
+            content = "\n".join(
+                f"Host {host_id} has request failures and timed out. Did the request cause the host to timeout?"
+                for host_id in sorted(intersect)
+            )
+            return SignatureResult(
+                signature_name=self.name,
+                title="Failed request triggering host timeout",
+                content=content,
+                severity="warning",
+            )
+        if failed_requests_hosts and timed_out_hosts:
+            return SignatureResult(
+                signature_name=self.name,
+                title="Failed request triggering host timeout",
+                content=(
+                    f"Cluster has at least one host that failed requests ({', '.join(sorted(failed_requests_hosts))}) and at least one host that timed out ({', '.join(sorted(timed_out_hosts))})"
+                ),
+                severity="warning",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/helpers.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/helpers.py
new file mode 100644
index 0000000..ee7bec3
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/helpers.py
@@ -0,0 +1,77 @@
+"""
+Helper functions for signature analysis.
+"""
+
+import json
+import re
+from typing import Any, Generator, Callable, Dict
+
+
+def operator_statuses_from_controller_logs(
+    controller_log: str, include_empty: bool = False
+):
+    operator_regex = re.compile(r"Operator ([a-z\-]+), statuses: \[(.*)\].*")
+    conditions_regex = re.compile(r"\{(.+?)\}")
+    condition_regex = re.compile(
+        r"([A-Za-z]+) (False|True) ([0-9a-zA-Z\-]+ [0-9a-zA-Z\:]+ [0-9a-zA-Z\-\+]+ [A-Z]+) (.*)"
+    )
+    operator_statuses = {}
+
+    for operator_name, operator_status in operator_regex.findall(controller_log):
+        if include_empty:
+            operator_statuses[operator_name] = {}
+        operator_conditions = operator_statuses.setdefault(operator_name, {})
+        for operator_conditions_raw in conditions_regex.findall(operator_status):
+            for (
+                condition_name,
+                condition_result,
+                condition_timestamp,
+                condition_reason,
+            ) in condition_regex.findall(operator_conditions_raw):
+                operator_conditions[condition_name] = {
+                    "result": condition_result == "True",
+                    "timestamp": condition_timestamp,
+                    "reason": condition_reason,
+                }
+
+    return operator_statuses
+
+
+def condition_has_result(
+    operator_conditions, expected_condition_name: str, expected_condition_result: bool
+) -> bool:
+    return any(
+        condition_values["result"] == expected_condition_result
+        for condition_name, condition_values in operator_conditions.items()
+        if condition_name == expected_condition_name
+    )
+
+
+def filter_operators(
+    operator_statuses,
+    required_conditions,
+    aggregation_function: Callable[[Generator[Any, None, None]], bool],
+):
+    return {
+        operator_name: operator_conditions
+        for operator_name, operator_conditions in operator_statuses.items()
+        if aggregation_function(
+            condition_has_result(
+                operator_conditions, required_condition_name, expected_condition_result
+            )
+            for required_condition_name, expected_condition_result in required_conditions
+        )
+    }
+
+
+def get_hostname(host: Dict[str, Any]) -> str:
+    """Extract hostname from host metadata."""
+    hostname = host.get("requested_hostname")
+    if hostname:
+        return hostname
+
+    try:
+        inventory = json.loads(host["inventory"])
+        return inventory["hostname"]
+    except (KeyError, json.JSONDecodeError):
+        return host.get("id", "unknown")
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/platform_specific.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/ip_changed_after_reboot.py
similarity index 60%
rename from assisted_service_mcp/src/utils/log_analyzer/signatures/platform_specific.py
rename to assisted_service_mcp/src/utils/log_analyzer/signatures/ip_changed_after_reboot.py
index f4498cb..1027d44 100644
--- a/assisted_service_mcp/src/utils/log_analyzer/signatures/platform_specific.py
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/ip_changed_after_reboot.py
@@ -1,6 +1,5 @@
 """
-Platform-specific signatures for OpenShift Assisted Installer logs.
-These signatures analyze issues specific to certain platforms or virtualization technologies.
+IpChangedAfterReboot signature for OpenShift Assisted Installer logs.
 """
 
 import gzip
@@ -8,7 +7,6 @@
 import json
 import logging
 import re
-from collections import OrderedDict
 from typing import Optional
 
 from .base import ErrorSignature, SignatureResult
@@ -16,46 +14,6 @@
 logger = logging.getLogger(__name__)
 
 
-class LibvirtRebootFlagSignature(ErrorSignature):
-    """Detect potential libvirt _on_reboot_ flag issue (MGMT-2840)."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        md = log_analyzer.metadata
-        cluster = md["cluster"]
-        # not relevant for SNO
-        if len(cluster.get("hosts", [])) <= 1:
-            return None
-
-        hosts = []
-        for host in cluster.get("hosts", []):
-            inventory = json.loads(host.get("inventory", "{}"))
-            if (
-                len(inventory.get("disks", [])) == 1
-                and "KVM" in inventory.get("system_vendor", {}).get("product_name", "")
-                and host.get("progress", {}).get("current_stage") == "Rebooting"
-                and host.get("status") == "error"
-            ):
-                if host.get("role") == "bootstrap":
-                    continue
-                hosts.append(
-                    OrderedDict(
-                        id=host["id"],
-                        hostname=log_analyzer.get_hostname(host),
-                        role=host.get("role"),
-                        progress=host.get("progress", {}).get("current_stage"),
-                        status=host.get("status"),
-                        num_disks=len(inventory.get("disks", [])),
-                    )
-                )
-        if hosts and len(hosts) + 1 == len(cluster.get("hosts", [])):
-            return self.create_result(
-                title="Potential hosts with libvirt _on_reboot_ flag issue (MGMT-2840)",
-                content=self.generate_table(hosts),
-                severity="warning",
-            )
-        return None
-
-
 class IpChangedAfterReboot(ErrorSignature):
     """Detect if IP changed after reboot based on journals and inventory."""
 
@@ -86,8 +44,7 @@ def _get_address_map(self, inventory):
         return address_map
 
     def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        md = log_analyzer.metadata
-        cluster = md["cluster"]
+        cluster = log_analyzer.metadata
 
         for host in cluster.get("hosts", []):
             host_id = host["id"]
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/libvirt_reboot_flag_signature.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/libvirt_reboot_flag_signature.py
new file mode 100644
index 0000000..2e20102
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/libvirt_reboot_flag_signature.py
@@ -0,0 +1,52 @@
+"""
+LibvirtRebootFlagSignature for OpenShift Assisted Installer logs.
+"""
+
+import json
+import logging
+from collections import OrderedDict
+from typing import Optional
+
+from .base import ErrorSignature, SignatureResult
+from .helpers import get_hostname
+
+logger = logging.getLogger(__name__)
+
+
+class LibvirtRebootFlagSignature(ErrorSignature):
+    """Detect potential libvirt _on_reboot_ flag issue (MGMT-2840)."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        cluster = log_analyzer.metadata
+        # not relevant for SNO
+        if len(cluster.get("hosts", [])) <= 1:
+            return None
+
+        hosts = []
+        for host in cluster.get("hosts", []):
+            inventory = json.loads(host.get("inventory", "{}"))
+            if (
+                len(inventory.get("disks", [])) == 1
+                and "KVM" in inventory.get("system_vendor", {}).get("product_name", "")
+                and host.get("progress", {}).get("current_stage") == "Rebooting"
+                and host.get("status") == "error"
+            ):
+                if host.get("role") == "bootstrap":
+                    continue
+                hosts.append(
+                    OrderedDict(
+                        id=host["id"],
+                        hostname=get_hostname(host),
+                        role=host.get("role"),
+                        progress=host.get("progress", {}).get("current_stage"),
+                        status=host.get("status"),
+                        num_disks=len(inventory.get("disks", [])),
+                    )
+                )
+        if hosts and len(hosts) + 1 == len(cluster.get("hosts", [])):
+            return self.create_result(
+                title="Potential hosts with libvirt _on_reboot_ flag issue (MGMT-2840)",
+                content=self.generate_table(hosts),
+                severity="warning",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/machine_config_daemon_error_extracting.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/machine_config_daemon_error_extracting.py
new file mode 100644
index 0000000..b0b4ecb
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/machine_config_daemon_error_extracting.py
@@ -0,0 +1,41 @@
+"""
+MachineConfigDaemonErrorExtracting signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
+    LOG_BUNDLE_PATH,
+)
+
+from .base import Signature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class MachineConfigDaemonErrorExtracting(Signature):
+    """Looks for MCD firstboot extraction error (OCPBUGS-5352)."""
+
+    mco_error = re.compile(
+        r"must be empty, pass --confirm to overwrite contents of directory$",
+        re.MULTILINE,
+    )
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        path = f"{LOG_BUNDLE_PATH}/control-plane/*/journals/machine-config-daemon-firstboot.log"
+        try:
+            mcd_logs = log_analyzer.logs_archive.get(path)
+        except FileNotFoundError:
+            return None
+        if self.mco_error.search(mcd_logs):
+            return SignatureResult(
+                signature_name=self.name,
+                title="machine-config-daemon could not extract machine-os-content",
+                content=(
+                    "machine-config-daemon-firstboot logs indicate a node may be hitting OCPBUGS-5352"
+                ),
+                severity="warning",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/missing_mc.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/missing_mc.py
new file mode 100644
index 0000000..52d98c4
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/missing_mc.py
@@ -0,0 +1,39 @@
+"""
+MissingMC signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class MissingMC(ErrorSignature):
+    """Looks for missing MachineConfig error in SNO clusters."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        if not log_analyzer.cluster_is_sno():
+            return None
+
+        path = (
+            "controller_logs.tar.gz/must-gather.tar.gz/must-gather.local.*/quay-io-openshift-release-dev-*/cluster-scoped-resources/"
+            "machineconfiguration.openshift.io/machineconfigpools/master.yaml"
+        )
+        try:
+            raw = log_analyzer.logs_archive.get(path, mode="rb")
+        except FileNotFoundError:
+            return None
+        try:
+            text = raw.decode("utf-8")
+        except Exception:
+            return None
+        if re.search(r"rendered-master-[0-9a-f]{32}.*not found", text) is not None:
+            return self.create_result(
+                title="Missing MachineConfig issue",
+                content="Missing rendered MachineConfig issue detected",
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/nameserver_in_cluster_network.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/nameserver_in_cluster_network.py
new file mode 100644
index 0000000..b7b60f3
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/nameserver_in_cluster_network.py
@@ -0,0 +1,84 @@
+"""
+NameserverInClusterNetwork signature for OpenShift Assisted Installer logs.
+"""
+
+import ipaddress
+import logging
+import os
+import re
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
+    LOG_BUNDLE_PATH,
+)
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class NameserverInClusterNetwork(ErrorSignature):
+    """Detect nameservers that overlap with cluster networks."""
+
+    NAMESERVER_PATTERN = re.compile(r"^nameserver (.*)$")
+
+    def _get_nameservers(self, log_analyzer, base_path: str):
+        nameservers = set()
+        # control-plane
+        try:
+            control_plane_dir = log_analyzer.logs_archive.get(
+                f"{base_path}/control-plane/"
+            )
+            for node_dir in self.archive_dir_contents(control_plane_dir):
+                node_ip = os.path.basename(node_dir)
+                try:
+                    resolvconf = log_analyzer.logs_archive.get(
+                        f"{base_path}/control-plane/{node_ip}/network/resolv.conf"
+                    )
+                except FileNotFoundError:
+                    continue
+                for line in resolvconf.splitlines():
+                    m = self.NAMESERVER_PATTERN.search(line)
+                    if m:
+                        nameservers.add(m.group(1))
+        except FileNotFoundError:
+            pass
+        # bootstrap
+        try:
+            resolvconf = log_analyzer.logs_archive.get(
+                f"{base_path}/bootstrap/network/resolv.conf"
+            )
+            for line in resolvconf.splitlines():
+                m = self.NAMESERVER_PATTERN.search(line)
+                if m:
+                    nameservers.add(m.group(1))
+        except FileNotFoundError:
+            pass
+        return nameservers
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        md = log_analyzer.metadata
+        cidrs = [network["cidr"] for network in md.get("cluster_networks", [])]
+        if not cidrs:
+            return None
+
+        report_lines = []
+        nameservers = self._get_nameservers(log_analyzer, LOG_BUNDLE_PATH)
+        for ns in nameservers:
+            for cidr in cidrs:
+                try:
+                    if ipaddress.ip_address(ns) in ipaddress.ip_network(
+                        cidr, strict=False
+                    ):
+                        report_lines.append(
+                            f"User defined nameserver {ns} overlaps with the cluster network {cidr}"
+                        )
+                except ValueError:
+                    continue
+        if report_lines:
+            return self.create_result(
+                title="Nameserver in internal network",
+                content="\n".join(sorted(set(report_lines))),
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/networking.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/networking.py
deleted file mode 100644
index 805048d..0000000
--- a/assisted_service_mcp/src/utils/log_analyzer/signatures/networking.py
+++ /dev/null
@@ -1,323 +0,0 @@
-"""
-Networking analysis signatures for OpenShift Assisted Installer logs.
-These signatures analyze network configuration and connectivity issues.
-"""
-
-import json
-import logging
-import ipaddress
-import os
-import re
-from typing import Optional
-
-from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import (
-    LOG_BUNDLE_PATH,
-)
-from assisted_service_mcp.src.utils.log_analyzer.signatures.advanced_analysis import (
-    operator_statuses_from_controller_logs,
-    filter_operators,
-)
-
-from .base import Signature, ErrorSignature, SignatureResult
-
-logger = logging.getLogger(__name__)
-
-
-class SNOMachineCidrSignature(Signature):
-    """Validates machine CIDR configuration for SNO clusters."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        """Analyze SNO machine CIDR configuration."""
-        try:
-            metadata = log_analyzer.metadata
-            cluster = metadata["cluster"]
-
-            if cluster.get("high_availability_mode") != "None":
-                return None
-
-            if not cluster.get("hosts"):
-                return None
-            host = cluster["hosts"][0]
-            inventory = json.loads(host["inventory"])
-
-            # The first one is the machine_cidr that will be used for network configuration
-            machine_cidr = ipaddress.ip_network(cluster["machine_networks"][0]["cidr"])
-
-            for route in inventory.get("routes", []):
-                # currently only relevant for ipv4
-                if (
-                    route.get("destination") == "0.0.0.0"
-                    and route.get("gateway")
-                    and ipaddress.ip_address(route["gateway"]) in machine_cidr
-                ):
-                    return None
-
-            content = (
-                f"Machine cidr {machine_cidr} doesn't match any default route configured on the host.\n"
-                f"It will cause etcd certificate error (or some other) as kubelet and OVNKubernetes will not run with expected machine cidr.\n"
-                f"We hope it will be fixed after https://issues.redhat.com/browse/SDN-3053"
-            )
-
-            return SignatureResult(
-                signature_name=self.name,
-                title="Invalid Machine CIDR",
-                content=content,
-                severity="error",
-            )
-
-        except Exception as e:
-            logger.error("Error in SNOMachineCidrSignature: %s", e)
-            return None
-
-
-class DuplicateVIP(ErrorSignature):
-    """Looks for nodes holding the same VIP."""
-
-    # pylint: disable=too-many-nested-blocks,too-many-branches
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        """Analyze for duplicate VIP issues."""
-        try:
-            cluster = log_analyzer.metadata["cluster"]
-
-            # SNO doesn't need balancing
-            if cluster.get("high_availability_mode") == "None":
-                return None
-
-            # VIPs are not relevant with load balancer
-            if cluster.get("user_managed_networking") is True:  # noqa: E712
-                return None
-
-            vips = [vip["ip"] for vip in cluster.get("api_vips", [])]
-            if not vips:
-                return None
-
-            collisions = []
-            # Check control-plane nodes
-            try:
-                control_plane_dir = log_analyzer.logs_archive.get(
-                    f"{LOG_BUNDLE_PATH}/control-plane/"
-                )
-                for node_dir in self.archive_dir_contents(control_plane_dir):
-                    node_ip = os.path.basename(node_dir)
-                    try:
-                        ip_addr = log_analyzer.logs_archive.get(
-                            f"{LOG_BUNDLE_PATH}/control-plane/{node_ip}/network/ip-addr.txt"
-                        )
-                    except FileNotFoundError:
-                        continue
-                    for vip in vips:
-                        if vip in ip_addr:
-                            collisions.append((vip, node_ip))
-            except FileNotFoundError:
-                pass
-
-            # Check bootstrap
-            try:
-                bootstrap_ip_addr = log_analyzer.logs_archive.get(
-                    f"{LOG_BUNDLE_PATH}/bootstrap/network/ip-addr.txt"
-                )
-                for vip in vips:
-                    if vip in bootstrap_ip_addr:
-                        collisions.append((vip, "bootstrap"))
-            except FileNotFoundError:
-                pass
-
-            # Aggregate per VIP
-            vip_to_nodes = {}
-            for vip, node in collisions:
-                vip_to_nodes.setdefault(vip, set()).add(node)
-
-            dup_msgs = [
-                f"Found duplicate VIP {vip} in control-plane hosts {' and '.join(sorted(nodes))}"
-                for vip, nodes in vip_to_nodes.items()
-                if len(nodes) > 1
-            ]
-
-            if dup_msgs:
-                return self.create_result(
-                    title="VIP found in multiple nodes",
-                    content="\n".join(dup_msgs),
-                    severity="error",
-                )
-            return None
-
-        except Exception as e:
-            logger.error("Error in DuplicateVIP: %s", e)
-
-        return None
-
-
-class NameserverInClusterNetwork(ErrorSignature):
-    """Detect nameservers that overlap with cluster networks."""
-
-    NAMESERVER_PATTERN = re.compile(r"^nameserver (.*)$")
-
-    def _get_nameservers(self, log_analyzer, base_path: str):
-        nameservers = set()
-        # control-plane
-        try:
-            control_plane_dir = log_analyzer.logs_archive.get(
-                f"{base_path}/control-plane/"
-            )
-            for node_dir in self.archive_dir_contents(control_plane_dir):
-                node_ip = os.path.basename(node_dir)
-                try:
-                    resolvconf = log_analyzer.logs_archive.get(
-                        f"{base_path}/control-plane/{node_ip}/network/resolv.conf"
-                    )
-                except FileNotFoundError:
-                    continue
-                for line in resolvconf.splitlines():
-                    m = self.NAMESERVER_PATTERN.search(line)
-                    if m:
-                        nameservers.add(m.group(1))
-        except FileNotFoundError:
-            pass
-        # bootstrap
-        try:
-            resolvconf = log_analyzer.logs_archive.get(
-                f"{base_path}/bootstrap/network/resolv.conf"
-            )
-            for line in resolvconf.splitlines():
-                m = self.NAMESERVER_PATTERN.search(line)
-                if m:
-                    nameservers.add(m.group(1))
-        except FileNotFoundError:
-            pass
-        return nameservers
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        md = log_analyzer.metadata
-        cidrs = [
-            network["cidr"] for network in md["cluster"].get("cluster_networks", [])
-        ]
-        if not cidrs:
-            return None
-
-        report_lines = []
-        nameservers = self._get_nameservers(log_analyzer, LOG_BUNDLE_PATH)
-        for ns in nameservers:
-            for cidr in cidrs:
-                try:
-                    if ipaddress.ip_address(ns) in ipaddress.ip_network(
-                        cidr, strict=False
-                    ):
-                        report_lines.append(
-                            f"User defined nameserver {ns} overlaps with the cluster network {cidr}"
-                        )
-                except ValueError:
-                    continue
-        if report_lines:
-            return self.create_result(
-                title="Nameserver in internal network",
-                content="\n".join(sorted(set(report_lines))),
-                severity="error",
-            )
-        return None
-
-
-class NetworksMtuMismatch(ErrorSignature):
-    """Detect MTU mismatch between interface and overlay network."""
-
-    LOG_PATTERN = re.compile(
-        r"Failed to start sdn: interface MTU [(]([0-9]+)[)] is too small for specified overlay MTU [(]([0-9]+)[)]"
-    )
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        path = "controller_logs.tar.gz/must-gather.tar.gz/must-gather.local.*/quay-io-openshift-release-dev-*/namespaces/openshift-sdn/pods/sdn-*/sdn/sdn/logs/*.log"
-        try:
-            sdn_logs = log_analyzer.logs_archive.get(path)
-        except FileNotFoundError:
-            return None
-        m = self.LOG_PATTERN.search(sdn_logs)
-        if m:
-            return self.create_result(
-                title="Networks MTU Mismatch",
-                content=f"SDN failed to start: Overlay (cluster) network MTU {m.group(2)} is bigger than the interface MTU {m.group(1)}",
-                severity="error",
-            )
-        return None
-
-
-class DualStackBadRoute(ErrorSignature):
-    """Looks for BZ 2088346 in ovnkube-node logs."""
-
-    fatal_error_regex = re.compile(
-        r"^F.*failed to get default gateway interface$", re.MULTILINE
-    )
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        path = f"{LOG_BUNDLE_PATH}/control-plane/*/containers/ovnkube-node-*.log"
-        try:
-            ovnkube_logs = log_analyzer.logs_archive.get(path)
-        except FileNotFoundError:
-            return None
-        if self.fatal_error_regex.search(ovnkube_logs):
-            return self.create_result(
-                title="Bugzilla 2088346",
-                content="ovnkube-node logs indicate the cluster may be hitting BZ 2088346",
-                severity="error",
-            )
-        return None
-
-
-class DualstackrDNSBug(ErrorSignature):
-    """Detect kube-apiserver 'must match public address family' message (MGMT-11651)."""
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        path = f"{LOG_BUNDLE_PATH}/bootstrap/containers/kube-apiserver-*.log"
-        try:
-            kubeapiserver_logs = log_analyzer.logs_archive.get(path)
-        except FileNotFoundError:
-            return None
-        if "must match public address family" in kubeapiserver_logs:
-            return self.create_result(
-                title="rDNS and DNS entries for IPv4/IPv6 interface - MGMT-11651",
-                content=(
-                    "kube-apiserver logs contain the message 'must match public address family', this is probably due to MGMT-11651"
-                ),
-                severity="warning",
-            )
-        return None
-
-
-class UserManagedNetworkingLoadBalancer(ErrorSignature):
-    """Detects UMN clusters where load-balancer related operators are the only unhealthy ones."""
-
-    lb_operators = {"authentication", "console", "ingress"}
-
-    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
-        metadata = log_analyzer.metadata
-        cluster_md = metadata.get("cluster", {})
-
-        if not cluster_md.get("user_managed_networking", False):
-            return None
-
-        if cluster_md.get("high_availability_mode") == "None":
-            return None
-
-        try:
-            controller_logs = log_analyzer.get_controller_logs()
-        except FileNotFoundError:
-            return None
-
-        operator_statuses = operator_statuses_from_controller_logs(controller_logs)
-
-        unhealthy_operators = filter_operators(
-            operator_statuses,
-            (("Degraded", True), ("Available", False), ("Progressing", True)),
-            aggregation_function=any,
-        )
-
-        unhealthy_keys = set(unhealthy_operators.keys())
-        if unhealthy_keys and unhealthy_keys.issubset(self.lb_operators):
-            content = "Cluster has user-managed networking and only load-balancer related operators seem to be unhealthy."
-            if missing := self.lb_operators - unhealthy_keys:
-                content += f" Operators missing from unhealthy set: {', '.join(sorted(missing))}."
-            return self.create_result(
-                title="Probably user managed load-balancer issues",
-                content=content,
-                severity="warning",
-            )
-
-        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/networks_mtu_mismatch.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/networks_mtu_mismatch.py
new file mode 100644
index 0000000..d002e25
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/networks_mtu_mismatch.py
@@ -0,0 +1,34 @@
+"""
+NetworksMtuMismatch signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class NetworksMtuMismatch(ErrorSignature):
+    """Detect MTU mismatch between interface and overlay network."""
+
+    LOG_PATTERN = re.compile(
+        r"Failed to start sdn: interface MTU [(]([0-9]+)[)] is too small for specified overlay MTU [(]([0-9]+)[)]"
+    )
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        path = "controller_logs.tar.gz/must-gather.tar.gz/must-gather.local.*/quay-io-openshift-release-dev-*/namespaces/openshift-sdn/pods/sdn-*/sdn/sdn/logs/*.log"
+        try:
+            sdn_logs = log_analyzer.logs_archive.get(path)
+        except FileNotFoundError:
+            return None
+        m = self.LOG_PATTERN.search(sdn_logs)
+        if m:
+            return self.create_result(
+                title="Networks MTU Mismatch",
+                content=f"SDN failed to start: Overlay (cluster) network MTU {m.group(2)} is bigger than the interface MTU {m.group(1)}",
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/release_pull_error_signature.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/release_pull_error_signature.py
new file mode 100644
index 0000000..3871f83
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/release_pull_error_signature.py
@@ -0,0 +1,34 @@
+"""
+ReleasePullErrorSignature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from .base import ErrorSignature, SignatureResult
+from .helpers import get_hostname
+
+logger = logging.getLogger(__name__)
+
+
+class ReleasePullErrorSignature(ErrorSignature):
+    """Finds clusters where release image cannot be pulled by bootstrap node."""
+
+    ERROR_PATTERN = re.compile(r"release-image-download\.sh\[.+\]: Pull failed")
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        hosts_sections = []
+        for host, journal_logs in log_analyzer.all_host_journal_logs():
+            if self.ERROR_PATTERN.findall(journal_logs):
+                hosts_sections.append(
+                    f"Release image cannot be pulled on {host['id']} ({get_hostname(host)})"
+                )
+
+        if hosts_sections:
+            return self.create_result(
+                title="Release image cannot be pulled",
+                content="\n".join(hosts_sections),
+                severity="error",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/performance.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/slow_image_download_signature.py
similarity index 76%
rename from assisted_service_mcp/src/utils/log_analyzer/signatures/performance.py
rename to assisted_service_mcp/src/utils/log_analyzer/signatures/slow_image_download_signature.py
index ce3b987..4af7630 100644
--- a/assisted_service_mcp/src/utils/log_analyzer/signatures/performance.py
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/slow_image_download_signature.py
@@ -1,13 +1,11 @@
 """
-Performance analysis signatures for OpenShift Assisted Installer logs.
-These signatures analyze installation performance and identify bottlenecks.
+SlowImageDownloadSignature for OpenShift Assisted Installer logs.
 """
 
 import logging
 import re
 from typing import Optional, List, Dict, Any
 
-
 from .base import ErrorSignature, SignatureResult
 
 logger = logging.getLogger(__name__)
@@ -45,20 +43,12 @@ def analyze(self, log_analyzer) -> Optional[SignatureResult]:
 
         return None
 
-    @classmethod
     def _list_image_download_info(
-        cls, events: List[Dict[str, Any]]
+        self, events: List[Dict[str, Any]]
     ) -> List[Dict[str, str]]:
         """Extract image download information from events."""
-
-        def get_image_download_info(event):
-            match = cls.image_download_regex.match(event["message"])
-            if match:
-                return match.groupdict()
-            return None
-
         return [
-            info
+            match.groupdict()
             for event in events
-            if (info := get_image_download_info(event)) is not None
+            if (match := self.image_download_regex.match(event["message"])) is not None
         ]
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/sno_hostname_has_etcd.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/sno_hostname_has_etcd.py
new file mode 100644
index 0000000..6754294
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/sno_hostname_has_etcd.py
@@ -0,0 +1,38 @@
+"""
+SNOHostnameHasEtcd signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+from typing import Optional
+
+from .base import ErrorSignature, SignatureResult
+from .helpers import get_hostname
+
+logger = logging.getLogger(__name__)
+
+
+class SNOHostnameHasEtcd(ErrorSignature):
+    """Looks for etcd in SNO hostname (OCPBUGS-15852)."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        """Analyze SNO hostname for etcd."""
+        try:
+            if not log_analyzer.cluster_is_sno():
+                return None
+
+            cluster = log_analyzer.metadata
+            if len(cluster["hosts"]) != 1:
+                return None
+
+            hostname = get_hostname(cluster["hosts"][0])
+            if "etcd" in hostname:
+                content = "Hostname cannot contain etcd, see https://issues.redhat.com/browse/OCPBUGS-15852"
+
+                return self.create_result(
+                    title="No etcd in SNO hostname", content=content, severity="error"
+                )
+
+        except Exception as e:
+            logger.error("Error in SNOHostnameHasEtcd: %s", e)
+
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/sno_machine_cidr_signature.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/sno_machine_cidr_signature.py
new file mode 100644
index 0000000..1de2beb
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/sno_machine_cidr_signature.py
@@ -0,0 +1,57 @@
+"""
+SNOMachineCidrSignature for OpenShift Assisted Installer logs.
+"""
+
+import ipaddress
+import json
+import logging
+from typing import Optional
+
+from .base import Signature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class SNOMachineCidrSignature(Signature):
+    """Validates machine CIDR configuration for SNO clusters."""
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        """Analyze SNO machine CIDR configuration."""
+        try:
+            if not log_analyzer.cluster_is_sno():
+                return None
+
+            cluster = log_analyzer.metadata
+            if not cluster.get("hosts"):
+                return None
+            host = cluster["hosts"][0]
+            inventory = json.loads(host["inventory"])
+
+            # The first one is the machine_cidr that will be used for network configuration
+            machine_cidr = ipaddress.ip_network(cluster["machine_networks"][0]["cidr"])
+
+            for route in inventory.get("routes", []):
+                # currently only relevant for ipv4
+                if (
+                    route.get("destination") == "0.0.0.0"
+                    and route.get("gateway")
+                    and ipaddress.ip_address(route["gateway"]) in machine_cidr
+                ):
+                    return None
+
+            content = (
+                f"Machine cidr {machine_cidr} doesn't match any default route configured on the host.\n"
+                f"It will cause etcd certificate error (or some other) as kubelet and OVNKubernetes will not run with expected machine cidr.\n"
+                f"We hope it will be fixed after https://issues.redhat.com/browse/SDN-3053"
+            )
+
+            return SignatureResult(
+                signature_name=self.name,
+                title="Invalid Machine CIDR",
+                content=content,
+                severity="error",
+            )
+
+        except Exception as e:
+            logger.error("Error in SNOMachineCidrSignature: %s", e)
+            return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/user_has_logged_into_cluster.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/user_has_logged_into_cluster.py
new file mode 100644
index 0000000..e0f5310
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/user_has_logged_into_cluster.py
@@ -0,0 +1,35 @@
+"""
+UserHasLoggedIntoCluster signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+import re
+from typing import Optional
+
+from .base import Signature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class UserHasLoggedIntoCluster(Signature):
+    """Detect user login to cluster nodes during installation."""
+
+    USER_LOGIN_PATTERN = re.compile(
+        r"pam_unix\((sshd|login):session\): session opened for user .+ by"
+    )
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        msgs = []
+        for host, journal_logs in log_analyzer.all_host_journal_logs():
+            if self.USER_LOGIN_PATTERN.findall(journal_logs):
+                msgs.append(
+                    f"Host {host['id']}: found evidence of a user login during installation. This might indicate that some settings have been changed manually; if incorrect they could contribute to failure."
+                )
+        if msgs:
+            return SignatureResult(
+                signature_name=self.name,
+                title="User has logged into cluster nodes during installation",
+                content="\n".join(msgs),
+                severity="warning",
+            )
+        return None
diff --git a/assisted_service_mcp/src/utils/log_analyzer/signatures/user_managed_networking_load_balancer.py b/assisted_service_mcp/src/utils/log_analyzer/signatures/user_managed_networking_load_balancer.py
new file mode 100644
index 0000000..5149852
--- /dev/null
+++ b/assisted_service_mcp/src/utils/log_analyzer/signatures/user_managed_networking_load_balancer.py
@@ -0,0 +1,56 @@
+"""
+UserManagedNetworkingLoadBalancer signature for OpenShift Assisted Installer logs.
+"""
+
+import logging
+from typing import Optional
+
+from assisted_service_mcp.src.utils.log_analyzer.signatures.helpers import (
+    operator_statuses_from_controller_logs,
+    filter_operators,
+)
+
+from .base import ErrorSignature, SignatureResult
+
+logger = logging.getLogger(__name__)
+
+
+class UserManagedNetworkingLoadBalancer(ErrorSignature):
+    """Detects UMN clusters where load-balancer related operators are the only unhealthy ones."""
+
+    lb_operators = {"authentication", "console", "ingress"}
+
+    def analyze(self, log_analyzer) -> Optional[SignatureResult]:
+        metadata = log_analyzer.metadata
+
+        if not metadata.get("user_managed_networking", False):
+            return None
+
+        if metadata.get("high_availability_mode") == "None":
+            return None
+
+        try:
+            controller_logs = log_analyzer.get_controller_logs()
+        except FileNotFoundError:
+            return None
+
+        operator_statuses = operator_statuses_from_controller_logs(controller_logs)
+
+        unhealthy_operators = filter_operators(
+            operator_statuses,
+            (("Degraded", True), ("Available", False), ("Progressing", True)),
+            aggregation_function=any,
+        )
+
+        unhealthy_keys = set(unhealthy_operators.keys())
+        if unhealthy_keys and unhealthy_keys.issubset(self.lb_operators):
+            content = "Cluster has user-managed networking and only load-balancer related operators seem to be unhealthy."
+            if missing := self.lb_operators - unhealthy_keys:
+                content += f" Operators missing from unhealthy set: {', '.join(sorted(missing))}."
+            return self.create_result(
+                title="Probably user managed load-balancer issues",
+                content=content,
+                severity="warning",
+            )
+
+        return None
diff --git a/tests/metrics/__init__.py b/tests/metrics/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/test_metrics.py b/tests/metrics/test_metrics.py
similarity index 100%
rename from tests/test_metrics.py
rename to tests/metrics/test_metrics.py
diff --git a/tests/service_client/__init__.py b/tests/service_client/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/test_assisted_service_api.py b/tests/service_client/test_assisted_service_api.py
similarity index 100%
rename from tests/test_assisted_service_api.py
rename to tests/service_client/test_assisted_service_api.py
diff --git a/tests/test_helpers.py b/tests/service_client/test_helpers.py
similarity index 100%
rename from tests/test_helpers.py
rename to tests/service_client/test_helpers.py
diff --git a/tests/test_service_client_api.py b/tests/service_client/test_service_client_api.py
similarity index 100%
rename from tests/test_service_client_api.py
rename to tests/service_client/test_service_client_api.py
diff --git a/tests/src/__init__.py b/tests/src/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/test_api.py b/tests/src/test_api.py
similarity index 100%
rename from tests/test_api.py
rename to tests/src/test_api.py
diff --git a/tests/test_logger.py b/tests/src/test_logger.py
similarity index 100%
rename from tests/test_logger.py
rename to tests/src/test_logger.py
diff --git a/tests/test_mcp.py b/tests/src/test_mcp.py
similarity index 100%
rename from tests/test_mcp.py
rename to tests/src/test_mcp.py
diff --git a/tests/test_settings.py b/tests/src/test_settings.py
similarity index 100%
rename from tests/test_settings.py
rename to tests/src/test_settings.py
diff --git a/tests/tools/__init__.py b/tests/tools/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/test_shared_helpers.py b/tests/tools/test_shared_helpers.py
similarity index 100%
rename from tests/test_shared_helpers.py
rename to tests/tools/test_shared_helpers.py
diff --git a/tests/test_tools_module.py b/tests/tools/test_tools_module.py
similarity index 100%
rename from tests/test_tools_module.py
rename to tests/tools/test_tools_module.py
diff --git a/tests/utils/__init__.py b/tests/utils/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/utils/log_analyzer/__init__.py b/tests/utils/log_analyzer/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/utils/log_analyzer/signatures/__init__.py b/tests/utils/log_analyzer/signatures/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/test_advanced_analysis.py b/tests/utils/log_analyzer/signatures/test_container_crash_analysis.py
similarity index 99%
rename from tests/test_advanced_analysis.py
rename to tests/utils/log_analyzer/signatures/test_container_crash_analysis.py
index d9e7b45..b99dff3 100644
--- a/tests/test_advanced_analysis.py
+++ b/tests/utils/log_analyzer/signatures/test_container_crash_analysis.py
@@ -1,5 +1,5 @@
 """
-Unit tests for advanced analysis signatures.
+Unit tests for ContainerCrashAnalysis signature.
 """
 
 from pathlib import Path
@@ -10,7 +10,7 @@
     LogAnalyzer,
     LOG_BUNDLE_PATH,
 )
-from assisted_service_mcp.src.utils.log_analyzer.signatures.advanced_analysis import (
+from assisted_service_mcp.src.utils.log_analyzer.signatures.container_crash_analysis import (
     ContainerCrashAnalysis,
 )
 from assisted_service_mcp.src.utils.log_analyzer.signatures.base import SignatureResult
diff --git a/tests/utils/log_analyzer/signatures/test_slow_image_download_signature.py b/tests/utils/log_analyzer/signatures/test_slow_image_download_signature.py
new file mode 100644
index 0000000..91f78e0
--- /dev/null
+++ b/tests/utils/log_analyzer/signatures/test_slow_image_download_signature.py
@@ -0,0 +1,231 @@
+"""
+Unit tests for SlowImageDownloadSignature.
+"""
+
+from unittest.mock import MagicMock
+from typing import Dict, Any
+
+from assisted_service_mcp.src.utils.log_analyzer.signatures.slow_image_download_signature import (
+    SlowImageDownloadSignature,
+)
+
+
+def create_image_download_event(
+    hostname: str, image: str, download_rate: str
+) -> Dict[str, Any]:
+    """Create a mock event with image download information."""
+    return {
+        "message": f"Host {hostname}: New image status {image}. result: success; download rate: {download_rate} MBps",
+        "name": "image_download",
+    }
+
+
+class TestSlowImageDownloadSignature:
+    """Test cases for SlowImageDownloadSignature."""
+
+    def test_no_slow_downloads_returns_none(self) -> None:
+        """Test that signature returns None when all downloads are fast."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        # All downloads are above the minimum threshold (10 MBps)
+        events = [
+            create_image_download_event("host1", "image1", "15.5"),
+            create_image_download_event("host2", "image2", "20.0"),
+            create_image_download_event("host3", "image3", "12.3"),
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is None
+
+    def test_slow_downloads_detected(self) -> None:
+        """Test that signature detects slow downloads."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        # Mix of fast and slow downloads
+        events = [
+            create_image_download_event("host1", "image1", "15.5"),  # Fast
+            create_image_download_event("host2", "image2", "5.2"),  # Slow
+            create_image_download_event("host3", "image3", "8.1"),  # Slow
+            create_image_download_event("host4", "image4", "20.0"),  # Fast
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is not None
+        assert result.title == "Slow Image Download"
+        assert result.severity == "warning"
+        assert "Detected slow image download rate" in result.content
+        assert "host2" in result.content
+        assert "host3" in result.content
+        assert "image2" in result.content
+        assert "image3" in result.content
+        assert "5.2" in result.content
+        assert "8.1" in result.content
+
+    def test_all_slow_downloads(self) -> None:
+        """Test that signature detects when all downloads are slow."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        events = [
+            create_image_download_event("host1", "image1", "3.5"),
+            create_image_download_event("host2", "image2", "7.8"),
+            create_image_download_event("host3", "image3", "9.9"),
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is not None
+        assert result.title == "Slow Image Download"
+        assert "host1" in result.content
+        assert "host2" in result.content
+        assert "host3" in result.content
+
+    def test_download_rate_at_threshold(self) -> None:
+        """Test that download rate exactly at threshold is not considered slow."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        # Exactly at threshold (10.0 MBps)
+        events = [
+            create_image_download_event("host1", "image1", "10.0"),
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is None
+
+    def test_download_rate_just_below_threshold(self) -> None:
+        """Test that download rate just below threshold is detected."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        # Just below threshold (9.999 MBps)
+        events = [
+            create_image_download_event("host1", "image1", "9.999"),
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is not None
+        assert "host1" in result.content
+
+    def test_no_image_download_events(self) -> None:
+        """Test that signature returns None when there are no image download events."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        events = [
+            {"message": "Some other event", "name": "other_event"},
+            {"message": "Another event", "name": "another_event"},
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is None
+
+    def test_empty_events_list(self) -> None:
+        """Test that signature handles empty events list."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        log_analyzer.get_last_install_cluster_events.return_value = []
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is None
+
+    def test_malformed_image_download_event(self) -> None:
+        """Test that signature handles malformed image download events gracefully."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        events = [
+            create_image_download_event(
+                "host1", "image1", "5.0"
+            ),  # Valid slow download
+            {
+                "message": "Host host2: Invalid format",
+                "name": "image_download",
+            },  # Malformed
+            create_image_download_event(
+                "host3", "image3", "8.0"
+            ),  # Valid slow download
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is not None
+        # Should only include valid slow downloads
+        assert "host1" in result.content
+        assert "host3" in result.content
+        assert "host2" not in result.content
+
+    def test_exception_handling(self) -> None:
+        """Test that signature handles exceptions gracefully."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        # Simulate an exception when getting events
+        log_analyzer.get_last_install_cluster_events.side_effect = Exception(
+            "Test error"
+        )
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is None
+
+    def test_invalid_download_rate_format(self) -> None:
+        """Test that signature handles invalid download rate formats gracefully."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        # Create event with invalid download rate that can't be converted to float
+        events = [
+            create_image_download_event("host1", "image1", "invalid"),
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        # Should catch ValueError and return None (exception is logged but not raised)
+        result = signature.analyze(log_analyzer)
+        assert result is None
+
+    def test_multiple_slow_downloads_same_host(self) -> None:
+        """Test that signature detects multiple slow downloads from the same host."""
+        signature = SlowImageDownloadSignature()
+        log_analyzer = MagicMock()
+
+        events = [
+            create_image_download_event("host1", "image1", "4.5"),
+            create_image_download_event("host1", "image2", "6.2"),
+            create_image_download_event("host1", "image3", "7.8"),
+        ]
+        log_analyzer.get_last_install_cluster_events.return_value = events
+
+        result = signature.analyze(log_analyzer)
+
+        assert result is not None
+        assert result.content.count("host1") == 3  # Should appear 3 times in the table
+        assert "image1" in result.content
+        assert "image2" in result.content
+        assert "image3" in result.content
+
+    def test_signature_name_property(self) -> None:
+        """Test that signature name is set correctly."""
+        signature = SlowImageDownloadSignature()
+        assert signature.name == "SlowImageDownloadSignature"
+
+    def test_minimum_download_rate_threshold(self) -> None:
+        """Test that the minimum download rate threshold is correct."""
+        signature = SlowImageDownloadSignature()
+        assert signature.minimum_download_rate_mb == 10
diff --git a/tests/test_log_analyzer.py b/tests/utils/log_analyzer/test_log_analyzer.py
similarity index 91%
rename from tests/test_log_analyzer.py
rename to tests/utils/log_analyzer/test_log_analyzer.py
index dde7acd..ec24589 100644
--- a/tests/test_log_analyzer.py
+++ b/tests/utils/log_analyzer/test_log_analyzer.py
@@ -22,13 +22,11 @@ def test_log_analyzer_metadata_and_events_partitioning() -> None:
 
     # minimal metadata and events
     md = {
-        "cluster": {
-            "install_started_at": "2025-01-01T00:00:00Z",
-            "hosts": [
-                {"id": "h1", "deleted_at": "2024-12-31T23:00:00Z"},
-                {"id": "h2"},
-            ],
-        }
+        "install_started_at": "2025-01-01T00:00:00Z",
+        "hosts": [
+            {"id": "h1", "deleted_at": "2024-12-31T23:00:00Z"},
+            {"id": "h2"},
+        ],
     }
     events = [
         {"name": "something"},
@@ -48,7 +46,7 @@ def _get(path: str, **kwargs: Any) -> str:  # pylint: disable=unused-argument
         if path == "cluster_metadata.json":
             import json
 
-            return json.dumps(md["cluster"])  # analyzer wraps it into {"cluster":...}
+            return json.dumps(md)  # metadata is used directly without wrapping
         if path == "cluster_events.json":
             import json
 
@@ -60,7 +58,7 @@ def _get(path: str, **kwargs: Any) -> str:  # pylint: disable=unused-argument
     la = LogAnalyzer(archive)  # type: ignore[arg-type]
     m = la.metadata
     assert m is not None
-    assert "deleted_hosts" in m["cluster"] and len(m["cluster"]["deleted_hosts"]) == 1
+    assert "deleted_hosts" in m and len(m["deleted_hosts"]) == 1
     # last partition should only include post-reset events
     last_events = la.get_last_install_cluster_events()
     assert last_events and last_events[0]["name"] == "something_else"
@@ -111,7 +109,7 @@ async def run() -> None:
 
 def test_basic_info_signature_runs() -> None:
     from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import LogAnalyzer
-    from assisted_service_mcp.src.utils.log_analyzer.signatures.basic_info import (
+    from assisted_service_mcp.src.utils.log_analyzer.signatures.components_version_signature import (
         ComponentsVersionSignature,
     )
 
@@ -129,7 +127,7 @@ def test_basic_info_signature_runs() -> None:
 
 def test_error_detection_signature_no_crash() -> None:
     from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import LogAnalyzer
-    from assisted_service_mcp.src.utils.log_analyzer.signatures.error_detection import (
+    from assisted_service_mcp.src.utils.log_analyzer.signatures.sno_hostname_has_etcd import (
         SNOHostnameHasEtcd,
     )
 
@@ -147,7 +145,7 @@ def test_error_detection_signature_no_crash() -> None:
 
 def test_networking_signature_no_crash() -> None:
     from assisted_service_mcp.src.utils.log_analyzer.log_analyzer import LogAnalyzer
-    from assisted_service_mcp.src.utils.log_analyzer.signatures.networking import (
+    from assisted_service_mcp.src.utils.log_analyzer.signatures.sno_machine_cidr_signature import (
         SNOMachineCidrSignature,
     )
 
diff --git a/tests/utils/static_net/__init__.py b/tests/utils/static_net/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/test_static_net.py b/tests/utils/static_net/test_static_net.py
similarity index 100%
rename from tests/test_static_net.py
rename to tests/utils/static_net/test_static_net.py
diff --git a/tests/test_auth.py b/tests/utils/test_auth.py
similarity index 75%
rename from tests/test_auth.py
rename to tests/utils/test_auth.py
index 6635013..cc25b9b 100644
--- a/tests/test_auth.py
+++ b/tests/utils/test_auth.py
@@ -1,11 +1,13 @@
 import types
 import importlib
+import sys
+from typing import Iterator
 from unittest.mock import Mock, patch, MagicMock
 import requests
 
 import pytest
 
-from assisted_service_mcp.utils import auth as auth_mod
+# Don't import auth at module level - import it fresh in each test
 
 
 class _ReqCtx:
@@ -25,19 +27,38 @@ def get_context(self) -> object:  # noqa: D401
         return self._ctx
 
 
+@pytest.fixture(autouse=True)
+def reset_auth_module() -> Iterator[None]:
+    """Reload auth module before each test to ensure clean state."""
+    module_name = "assisted_service_mcp.utils.auth"
+    if module_name in sys.modules:
+        importlib.reload(sys.modules[module_name])
+    yield
+    # Cleanup: reload again after test to reset any patches
+    if module_name in sys.modules:
+        importlib.reload(sys.modules[module_name])
+
+
 def test_get_offline_token_prefers_settings_env() -> None:
+    # Import fresh for each test
+    from assisted_service_mcp.utils import auth as auth_mod
+
     with patch("assisted_service_mcp.src.settings.settings.OFFLINE_TOKEN", "env-token"):
         mcp = _MCP(headers={"OCM-Offline-Token": "header-token"})
         assert auth_mod.get_offline_token(mcp) == "env-token"
 
 
 def test_get_offline_token_from_header_when_no_env() -> None:
+    from assisted_service_mcp.utils import auth as auth_mod
+
     with patch("assisted_service_mcp.src.settings.settings.OFFLINE_TOKEN", None):
         mcp = _MCP(headers={"OCM-Offline-Token": "header-token"})
         assert auth_mod.get_offline_token(mcp) == "header-token"
 
 
 def test_get_offline_token_raises_when_missing() -> None:
+    from assisted_service_mcp.utils import auth as auth_mod
+
     with patch("assisted_service_mcp.src.settings.settings.OFFLINE_TOKEN", None):
         mcp = _MCP(headers={})
         with pytest.raises(RuntimeError):
@@ -45,12 +66,16 @@ def test_get_offline_token_raises_when_missing() -> None:
 
 
 def test_get_access_token_from_authorization_header() -> None:
+    from assisted_service_mcp.utils import auth as auth_mod
+
     mcp = _MCP(headers={"Authorization": "Bearer abc"})
     assert auth_mod.get_access_token(mcp) == "abc"
 
 
 @patch("requests.post")
 def test_get_access_token_via_offline_token(mock_post: Mock) -> None:  # type: ignore[no-untyped-def]
+    from assisted_service_mcp.utils import auth as auth_mod
+
     mcp = _MCP(headers={})
 
     with (
@@ -76,8 +101,8 @@ def test_get_access_token_sso_request_exception() -> None:
     with (
         patch("assisted_service_mcp.utils.auth.requests.post") as mock_post,
         patch(
-            "assisted_service_mcp.utils.auth.get_setting",
-            side_effect=lambda k: "https://sso.example.com" if k == "SSO_URL" else "",
+            "assisted_service_mcp.src.settings.settings.SSO_URL",
+            "https://sso.example.com",
         ),
     ):
         mock_post.side_effect = requests.exceptions.RequestException("network error")
@@ -99,8 +124,8 @@ def test_get_access_token_invalid_json_response() -> None:
     with (
         patch("assisted_service_mcp.utils.auth.requests.post", return_value=mock_resp),
         patch(
-            "assisted_service_mcp.utils.auth.get_setting",
-            side_effect=lambda k: "https://sso.example.com" if k == "SSO_URL" else "",
+            "assisted_service_mcp.src.settings.settings.SSO_URL",
+            "https://sso.example.com",
         ),
     ):
         with pytest.raises(RuntimeError, match="Invalid SSO response"):